Bloggers using the popular AWStats server statistics tool, often installed as standard with web hosting packages, should exercise caution following a number of blog break-ins.
The exploit is known as the “AWStats ‘configdir’ Remote Command Execution Exploit” and was publicly disclosed on January 17th by security firm iDefense. According to the iDefense advisory, remote exploitation of an input validation vulnerability in AWStats allows attackers to execute arbitrary commands under the privileges of the Web server, as evidenced by the defacement perpetrated by the hacker group.
Blogs that have been hacked include those of Jeremy Zawodny and Russell Beattie. Mainstream media sites have also been targeted, although it is not known whether the AWStats exploit was a culprit; Townnews.com reported a similar attack, with 850 newspaper sites defaced.
The “Infektion Group”, a group of computer hackers believed to operate out of Brazil, has claimed credit for the attack and posted screenshots of the defacements.
A Google search for the group found 26,000 matches, most of them defaced sites.
AWStats has released version 6.3, which fixes the flaw; however, a lack of awareness of the flaw and hosts not updating their copies mean that many blogs remain at risk.
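
For administrators who cannot confirm their host has upgraded, a log review for requests that pass the configdir parameter named in the advisory is a quick check. The following is an added example, not code from iDefense or the AWStats project; it assumes Apache combined-format access logs and an AWStats CGI served under a path containing "awstats", and the metacharacter heuristic and sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Shell metacharacters that have no place in a directory path (heuristic list).
SHELL_META = set("|;&`$<>\n\r")

# Client address and request target from an Apache combined-format line.
LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*"')

# Constructed sample log lines (documentation-range addresses, placeholder values).
SAMPLE = [
    '192.0.2.10 - - [20/Jan/2005:10:00:01 +0000] "GET /cgi-bin/awstats.pl?config=example.org HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Jan/2005:10:02:13 +0000] "GET /cgi-bin/awstats.pl?configdir=/etc/awstats HTTP/1.1" 200 312',
    '203.0.113.5 - - [20/Jan/2005:10:03:44 +0000] "GET /cgi-bin/awstats.pl?configdir=x%3BCONSTRUCTED HTTP/1.0" 200 87',
    '203.0.113.5 - - [20/Jan/2005:10:03:50 +0000] "GET /index.php?configdir=a%3Bb HTTP/1.0" 404 210',
]

def classify(line):
    """Return (verdict, client_ip) for an AWStats request carrying configdir, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if "awstats" not in url.path.lower():
        return None
    # parse_qsl percent-decodes values, so encoded metacharacters are caught too.
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name.lower() == "configdir":
            verdict = "suspicious" if SHELL_META & set(value) else "review"
            return verdict, m.group("ip")
    return None

def scan(lines):
    """Return [(line_number, verdict, client_ip)] for every flagged line."""
    findings = []
    for number, line in enumerate(lines, 1):
        result = classify(line)
        if result:
            findings.append((number, *result))
    return findings

if __name__ == "__main__":
    for number, verdict, ip in scan(SAMPLE):
        print(f"line {number}: {verdict} configdir request from {ip}")
```

A "review" hit means configdir was supplied over the web at all, which is worth a look on its own; a "suspicious" hit on an unpatched install should be treated as a possible compromise and followed by upgrading to 6.3.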